Re: [PEN-TEST] Expand right under Win2K

["Aidan O'Kelly" <okelly () XNET IE>]

I found the best way is to look around for programs that dont have their
rights properly set, for example, the admin just copied an exe while as a
user, and occasionly runs it as administrator, write a small exe that checks
what user called it, if it was an admin then do whatever u want to it and
call the original(now renamed and put somewhere else). and otherwise just
run the program as normal. Now, having said that, I've only tried it on NT 4
Win2k might be better at setting the rights and not letting IUSR_<mach>
overwrite files. But there could well be some exe lying around with write
permissions for everyone.

> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
> Of Paul Cardon
> Sent: Friday, January 12, 2001 11:09 PM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] Expand right under Win2K
>
>
> Matthew Pemble wrote:
> > Tamas wrote:
> >
> > > Does anyone knows any password brute forcer that works without
> > > accessing the SAM file?
> > >
> > > We are still eager to hear further ideas on this issue
> since nothing
> > > that we tried worked yet.
> >
> > If you can't get the SAM, can you run a packet sniffer on the target
> > machine?  If so, grab the NTLM authentication hashes and L0phtcrack
> > can process them.  Much, much slower than SAM cracking, though.
> >
> > You ought to be able to run a program within the IUSR context, your
> > ability to install will depend on the individual sniffer.
>
> Repeat after me everybody:
>
>    "I am on a Win2K box using the IUSR_<blah> account gained
> via the IIS
> Unicode vulnerability.  I do not have Administrator privileges.  I can
> only get to what a non-privileged user can access which is why the SAM
> repair file is not readable."
>
> It's getting frustrating that people aren't paying attention or don't
> understand the scenario that was originally introduced, but hey, I'm
> still smiling. :^)
>
> Now, I honestly don't know of a sniffer that can be installed without
> Administrator privilege.  If you can install a sniffer without those
> privs it seems like you could do plenty of other nasty stuff on that
> server.
>
> local.exe and global.exe from the resource kit can be used along with
> dumpsec.exe to determine which user accounts on the server or
> domain are
> in Administrator groups and will help you find the
> Administrator account
> even if it has been renamed.
>
> Somebody already mentioned SMBgrind for brute force login attempts.  A
> similar tool (NetBIOS Auditing Tool) can be found at:
>
>     http://www.nmrc.org/files/snt/nat10.tar.gz
>
> and doesn't require you to have a copy of CyberCOP around.
>
> Keep in mind that it will only be effective if the admin
> hasn't bothered
> to restrict the number of failed login attempts.
>
> -paul